Cybersecurity an Obligation at the CEO and Board Level

Sheldon Cuffie, vice president of information risk at Northwestern Mutual, knew cybersecurity was moving up in the world when a board member invited him to lunch.

“Two years ago the chief information security officer (CISO) didn’t attend board meetings, didn’t talk to our leadership team,” he said at the Fusion Executive Summit in Madison, produced by WTN Media.

“This is now a standing topic on the board committee agenda, and for the first time this year as CISO, I presented to the full board of Northwestern Mutual. When we think about cybersecurity, I like to think of cyber risk as just another risk that companies have to manage. If you are not managing cyber risk just as you would manage building risk, liability and sales force risk, you are probably missing the boat.”

Learning About Today’s Risk Environment

Blaise Beaulier, vice president for enterprise and support at Northwestern Mutual, said that before Cuffie arrived, the company had been focused on metrics.

“What Sheldon has done is bring education to the board room,” said Beaulier. “He talks about the top ten priorities of the regulatory bodies, and then goes through them to educate the board on what the regulators are looking for. It’s a very different conversation, not focused on audit items, but what we are doing to prepare ourselves, what are regulators looking for, and how are we addressing it.”

As an asset manager and an insurer, Northwestern Mutual is regulated by the Feds and by the insurance commissioners in 50 states, said Cuffie. Some of the regulations or guidelines conflict with each other, but mostly they say the same things in slightly different ways.

“Our philosophy is that we will meet regulatory minimums, but that is not our benchmark because regulatory minimums don’t mean you are secure.”

Beaulier said he and Cuffie are partnering more closely to cope with the increased speed of change.

“Sheldon can look for best practices and then give them to me with 1,600 people, and we can adopt them.” Joint teams visit any outsourcing facility to examine its security measures.

Also, Cuffie said his organization is not solely responsible for risk.

“That was okay in a ‘protect and defend’ mindset, but now we have moved to more of an intelligence mindset. Information protection is a team sport and we are facilitators. We don’t own the business risk; we help the owners do a better job of managing the risk.”

He recalled a board meeting where he was sitting next to the chairman of a Fortune 500 committee and said that if a state sponsored attacker came after the company, there is nothing he could do about it.

“We could have destruction of financial assets. We have quite a bit of information that is collected during underwriting — we would not want that leaked, so we put additional security around it.” Major breaches of customer information have occurred in health insurance, he added.

“Not so much in financial services, but it will.”

It’s going to happen because not everybody takes cybersecurity seriously enough, said Beaulier.

Adopting Best Practices for Preparation

“Prior to 911, I don’t recall doing table-top exercises. Now we do them regularly. Until two or two and a half years ago, the exercises were around physical events like a crane falling into a building. Two months ago during an exercise, I was summoned into a room, told it was an exercise: the electric and heat went out in all our buildings. We restored it, and got a message the next day demanding $10 million or they would again take our buildings out. We had five hours to develop a response. An outside facilitator runs these exercises. We run them every three months and now have changed to cyber attacks.”

During one exercise when the network was penetrated, Beaulier shut it down; on the same exercise but in a different room, Cuffie kept the network up. They didn’t say how they resolved that difference.

Vendors and even suppliers to their vendors, are coming under scrutiny. Cuffie said he had five people working full-time on third party vendors.

“We used to rely on internal auditors to do those visits, now we want to look at their infrastructure through the lens of technology.”

Locking Down Security

Northwestern Mutual specifies the locations where data can be held, said Beaulier.

“They cannot move it to another location, you cannot have USB ports on your computers, no phones, card access only.” If they have a printer in the development center it has to use colored paper so security staff can spot someone leaving with confidential information.

Banking has changed since the great recession, said Guy Ringle, senior vice president at Associated Bank and director of bank operations. One good outcome is boards are focused on risk and compliance. Board participation in IT strategy is higher than ever, he said, and board members are very interested in the bank’s cyber defense center, a very visible investment.

Assessing the Risk Chain

Associated Bank has to do a scorecard for each critical vendor, said Ringle, including their disaster recovery programs, third party audits and SLA (Service Level Agreement) performance.

“We have to provide evidence to the regulators on each of our critical vendors, and we have to update it annually. Some vendors won’t share that information, which means they cannot work with us.”

The bank has someone in each line of business who is responsible for risk management, said Ringle.

“Our organization also has a business change risk committee that looks at every significant change in the company.”

The participants are risk managers from the support areas that are responsible for executing those changes, he explains. That gives a lot of transparency across the organization to make sure we are doing the right risk mitigation and testing.”